Data Protection: Getting up close & personal


16 October 2008


Until recently, data protection law was rarely headline news. The recent (and numerous) high-profile losses of personal information by public authorities, most notably HMRC's loss of the personal information of 25 million people, put an end to that. Richard Thomas, who heads the Information Commissioner's Office (ICO), the body responsible for regulating and enforcing the Data Protection Act, summed up the sea-change that needs to take place:

Twenty five million records going missing from the HMRC is one of the most significant breaches in the history of data protection. This incident and its aftermath mark a turning point for data protection in the UK. Safeguarding large amounts of personal information – valuable assets for any organisation – has to be taken seriously from the top. The UK Data Protection Act provides the framework to handle personal information correctly. Whilst the majority of organisations process people's personal information in line with data protection requirements, the onus is on every organisation - and every leader within that body - to ensure there are clear lines of accountability to stop things from going badly wrong.

But organisations are taking a while to catch up with the message from the ICO. As recently as this October it was revealed that the Ministry of Defence had lost the personal information of 1.7 million applicants to, and employees of, the armed services.

Recent changes

In the wake of these massive breaches of the Data Protection Act, the Government has pushed through amendments to the Act which should leave organisations in absolutely no doubt that safeguarding the personal information they hold is vital.

New criminal sanctions

The Act has been changed so that organisations, and their relevant officers, who 'recklessly' breach the 'Data Protection Principles' (which enshrine the key aims of the Act) may, in the very near future, be fined a significant sum by a crown court. Details of exactly how significant those fines will be are to be released by the Government in the next few weeks.

The Act (amongst many other obligations) requires, through the ‘Seventh Data Protection Principle’, that fire authorities (along with all other data controllers) “…take appropriate technical and organisational measures…against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.

Given the nature of portable storage devices such as laptops and memory sticks, the risk of their loss or theft can never be eliminated. What fire authorities can and should do is put policies in place to ensure that such a loss or theft does not compromise employee and other personal information. At a minimum, such policies should include a clear instruction that laptops containing personal information are not to be left in cars, even locked ones, and that personal information held on portable devices is encrypted, so that a lost device does not become a lost dataset.

Richard Thomas has specifically stated that anyone (whether employee or data controller) holding personal information should know the basics of encryption to protect that information. Fire authorities will therefore need to review whether that knowledge exists amongst their employees and officers and, if it does not, put training in place and, where necessary, invest in the relevant software to enable encryption. Note that encryption only protects a lost device if the key or passphrase is not stored with it: a laptop with its password written on a label, or a memory stick carried in the same bag as a note of its passphrase, is effectively unencrypted.

Dawn raids

In addition to the increased criminal sanctions when things go wrong, the ICO is seeking the right to conduct 'dawn raids' on the premises of data controllers (including fire authorities) without notice, so that it can take a proper 'snapshot' of the organisation's compliance with the Act and the data protection principles under it.

Protecting your data

So what else can your fire authority do (in addition to complying with the other obligations under the Act) to ensure that it does not fall foul of the information security rules under the Seventh Data Protection Principle? Fire authorities should:
  • ensure that there are policies on taking staff and third party personal information off-site and the use of mobile computing and memory sticks, etc;
  • ensure that these policies are properly communicated to employees and enforced;
  • invest time in implementing ISO 17799 on Information Security Management (since renumbered ISO/IEC 27002; available from www.iso.org), which sets out very practical guidance on data security – from the siting of computers and the use of 'mobile computing' facilities to the use of fax machines for sending personal